[messaging] WhatsApp & OWS team up
Tony Arcieri
bascule at gmail.com
Tue Nov 18 15:48:39 PST 2014
On Tue, Nov 18, 2014 at 12:01 PM, Tao Effect <contact at taoeffect.com> wrote:
> For secure communications systems, I prefer systems that no entity has a
> monopoly over, without central authorities or points of failure. They're
> more robust and less prone to tampering. The 51% attack is the worse that
> can happen with the blockchain, and it amounts only to censorship. The
> worst that can happen with a central authority, on the other hand, is total
> compromise.
>
I share similar concerns about Keybase's centralization. Beyond that,
they've created bespoke, proprietary protocols which have weird designs IMO
(e.g. the "proofs"). I expect a lot of interesting attacks against all of
the existing Keybase proofs will become possible when SHA1 second preimage
attacks are possible.
All that said, something needs to replace the SKS model. The UX of the SKS
system is horrific.
I would like to see something similar to Keybase, but open source, designed
via an open process, and such that anyone could run a server.
To that end, the key directory system proposed by Google E2E sounds like
the best approach to me.
On Tue, Nov 18, 2014 at 12:29 PM, Maxwell Krohn <themax at gmail.com> wrote:
> Storage and availability is centralized, but not trust. Clients don’t
> trust the server.
This isn't true. A server is authoritative for a user's latest key
fingerprint. In the event of a key compromise, a user needs to update their
key, but a malicious key server can perform an attack by continuing to
serve the compromised key.
I would look to a system like The Update Framework as inspiration for how
next generation key servers should be designed. Rather than writing off
these attacks, they try to systematically address all of them:
http://freehaven.net/~arma/tuf-ccs2010.pdf
--
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20141118/34124415/attachment.html>
More information about the Messaging
mailing list